This is a set of scripts I use to run an nftables firewall with port knocking, where the 6-port knock sequence is derived from shared secret keys and rotates every hour.


Files
-----

- README: this file
- nftables.conf: the initial firewall configuration
- totp.lowres.py: script that generates 6 port numbers from 3 keys and the current hour (a low-resolution TOTP: one time step per hour instead of 30 seconds)
- newknockports.sh: script that rewrites the firewall rules to use the 6 port numbers for the current hour
- knock.sh: script that knocks on the 6 port numbers for the current hour


Installation and Usage
----------------------

0. Edit totp.lowres.py so it holds its 3 keys (see the comments in that script).
   The same keys must be used on the client and on the server.
   Edit knock.sh so it holds the server's IP address.
1. On the client, put totp.lowres.py and knock.sh as executables under ~/bin/.
2. On the server, put nftables.conf in /etc/, make sure it is executable
   and make sure it is run at boot.
3. On the server, put newknockports.sh and totp.lowres.py under /root/bin/.
   Run newknockports.sh once to install the port numbers for the current hour.
4. On the server, edit root's crontab to hold the following lines:
      @reboot /root/bin/newknockports.sh
      @hourly /root/bin/newknockports.sh
5. On the client, run knock.sh and start your ssh login directly (within
   3 seconds) after it.

Both sides derive the port numbers from the current hour, so the client and
server clocks must agree (keep them synchronized with NTP). Right before the
top of the hour the server is about to rotate to a new port set, so a knock
sent then can land on ports that are no longer open; if the login fails, wait
a few seconds and knock again.
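The following is an added worked example of the mechanism the steps above describe; it is not the repository's totp.lowres.py or knock.sh. It derives 6 distinct knock ports from 3 keys and an hour counter (HMAC with RFC 4226 dynamic truncation, one-hour time step), reports how long the current port set stays valid so a client can avoid knocking across the hour boundary, and knocks by sending one TCP connection attempt per port. The key values, the port range 10000-60000, the use of HMAC-SHA256, and the function names are assumptions of this example, not the project's design.

```python
# Added example (not the project's own scripts): hour-resolution TOTP-style
# knock port derivation plus a minimal knock client.
import hashlib
import hmac
import socket
import struct
import sys
import time

STEP_SECONDS = 3600                 # one port set per hour, matching the @hourly cron
PORTS_PER_KNOCK = 6
PORT_LO, PORT_HI = 10000, 60000     # assumed knock port range (unprivileged, above ssh)

# Constructed sample keys for this example; a deployment uses 3 random secrets
# that are identical on client and server.
KEYS = [b"key-one-change-me", b"key-two-change-me", b"key-three-change-me"]


def time_counter(now=None, step=STEP_SECONDS):
    """Hour counter shared by client and server; both clocks must agree on it."""
    if now is None:
        now = time.time()
    return int(now) // step


def seconds_left_in_window(now=None, step=STEP_SECONDS):
    """Seconds until a server rotating every `step` installs the next port set."""
    if now is None:
        now = time.time()
    return step - (int(now) % step)


def _hotp_truncate(key, counter, index):
    """HMAC-SHA256 over (counter, index) with RFC 4226 dynamic truncation."""
    msg = struct.pack(">QI", counter, index)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def knock_ports(keys, counter, n=PORTS_PER_KNOCK, lo=PORT_LO, hi=PORT_HI):
    """Derive n distinct ports; keys are used round-robin, so 3 keys give
    2 ports each. A collision is resolved by re-deriving the same slot with
    a larger index, which keeps the result deterministic on both ends."""
    span = hi - lo + 1
    ports = []
    for slot in range(n):
        key = keys[slot % len(keys)]
        index = slot
        while True:
            port = lo + _hotp_truncate(key, counter, index) % span
            if port not in ports:
                break
            index += n              # indices of different slots never overlap
        ports.append(port)
    return ports


def knock(host, ports, timeout=0.3):
    """Send one TCP connection attempt per port, in order. The firewall drops
    or rejects them, so a timeout or refusal is the expected outcome."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass                # filtered/refused: the knock was still sent
    return ports


if __name__ == "__main__":
    left = seconds_left_in_window()
    if left < 10:
        sys.exit("port set rotates in %d s; knock again after the hour" % left)
    ports = knock_ports(KEYS, time_counter())
    print(" ".join(map(str, ports)))   # server side: feed these into the firewall rules
    if len(sys.argv) > 1:               # client side: python3 knockports.py SERVER_IP
        knock(sys.argv[1], ports)
```

Run it without arguments on the server to print the port set for the current hour, or with the server address on the client to knock and then start the ssh login within the same few seconds. Indexing each derivation with the slot number means the 6 ports are independent HMAC outputs rather than slices of one digest, and the hour-boundary check is the part a plain knock script usually lacks.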
